https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-07-15
Minutes
Roll call
Quorum was NOT reached.
Approve minutes
- Approve minutes of UMA telecon 2021-06-10
<https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-06-10>
, UMA telecon 2021-06-17
<https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-06-17>
, UMA telecon 2021-06-24
<https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-06-24>
, UMA telecon 2021-07-01
<https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-07-01>
, UMA telecon 2021-07-08
<https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-07-08>
Deferred
ANCR/UMA initial understanding
https://groups.google.com/g/kantara-initiative-uma-wg/c/EzbI7kjc_MU/m/NLX_0…
Short flow
1. Alice visits Bob's organization's (site/service) website
2. Bob returns a notice that references a third party registry
3. Alice is able to independently look up Bob's notice from the registry
4. Alice requests a notarized receipt from the registry, including Bob's
notice and her rights (e.g. the laws of the country she lives in)
5. Alice includes this receipt in requests as she interacts with Bob's
service
6. Bob is able to use the receipt token when interacting with Alice's
information, either in requests for authorization or for information (e.g. as a
token/claim)
ANCR current state: documentation of the receipt: Bob's notice, Alice's
rights assertion, the notarized ANCR receipt
Next steps: Getting ANCR receipt fields to be part of the ISO 27560 consent
receipt 1.2 spec, publish within Kantara. Move from receipt definition to
flows/protocol integrations
The receipt creates transparency for Alice to discover and understand the
sites'/services' terms, controller, etc. Steps 1-5 would be part of a
browser/extension implementation and could be broadcast through headers
(for example). Alice could include in her notarized receipt where Bob's
service could discover her information, e.g. her UMA authorization server or relevant
resource locations.
From initial contact, Alice is able to monitor service term changes through
the registry. The 'registry' doesn't necessarily need to be a 3rd party,
the site itself could host this to achieve the transparency outcome. Self
assertion like this can still reference third parties, who don't need to
know about ANCR. For example in the UK there is a public business registry
with the Controllers listed, the site itself can reference that endpoint.
Can a service be registered with multiple registries? yes
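The six-step flow above, carried through as an added example; this is not ANCR-WG or UMA-WG code, and the ANCR receipt format itself is not defined on this page. Every field name, URL and key here is constructed, and HMAC-SHA256 under a registry key stands in for the notary's signature (a real notary would sign with a key Bob verifies with a public key). The example also shows the later point that receipts are comparable over time: two receipts for the same controller reveal whether Bob's notice changed between them.

```python
# Added example for the ANCR/UMA walk-through; not ANCR-WG or UMA-WG code.
# Constructed: notice/receipt fields, registry key, HMAC as a signature stand-in.
import hashlib
import hmac
import json

REGISTRY_KEY = b"constructed-registry-notary-key"  # stand-in for the notary's signing key


def canonical(obj: dict) -> bytes:
    """Deterministic JSON encoding so digests and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def notice_digest(notice: dict) -> str:
    """Steps 2/3: the registry-hosted notice is identified by its content hash."""
    return hashlib.sha256(canonical(notice)).hexdigest()


def notarize(notice: dict, rights: dict, subject_pointers: dict, issued_at: int) -> dict:
    """Step 4: the registry issues a receipt binding Bob's notice to Alice's rights
    and to the pointers (e.g. her UMA AS) that she chooses to include."""
    body = {
        "notice_ref": notice["notice_ref"],
        "controller": notice["controller"],
        "notice_digest": notice_digest(notice),
        "rights": rights,
        "subject": subject_pointers,
        "iat": issued_at,
    }
    sig = hmac.new(REGISTRY_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "notary_sig": sig}


def verify(receipt: dict) -> bool:
    """Step 6: Bob checks the notarization before relying on the receipt.
    (With a real notary this would be a public-key signature check.)"""
    expected = hmac.new(REGISTRY_KEY, canonical(receipt["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["notary_sig"])


def notice_changed(previous: dict, current: dict) -> bool:
    """Transparency check: compare two receipts for the same controller to see
    whether the notice (terms) changed between them."""
    if previous["body"]["controller"] != current["body"]["controller"]:
        raise ValueError("receipts are for different controllers")
    return previous["body"]["notice_digest"] != current["body"]["notice_digest"]


# Constructed sample data (not from any real registry).
BOB_NOTICE_V1 = {
    "notice_ref": "https://registry.example/notices/bob-org/1",
    "controller": "Bob's Organization",
    "purposes": ["service delivery"],
    "retention_days": 30,
}
BOB_NOTICE_V2 = dict(BOB_NOTICE_V1, notice_ref="https://registry.example/notices/bob-org/2",
                     purposes=["service delivery", "marketing"])
ALICE_RIGHTS = {"jurisdiction": "CA", "rights": ["access", "erasure"]}
ALICE_POINTERS = {"uma_as": "https://as.alice.example",
                  "resources": ["https://rs.example/alice/profile"]}

if __name__ == "__main__":
    first = notarize(BOB_NOTICE_V1, ALICE_RIGHTS, ALICE_POINTERS, 1626300000)
    later = notarize(BOB_NOTICE_V2, ALICE_RIGHTS, ALICE_POINTERS, 1626386400)
    print("receipt valid:", verify(first))
    print("terms changed:", notice_changed(first, later))
```

The digest is over a canonical encoding of the whole notice, so any edit to purposes or retention changes the digest; the receipt that Alice keeps from first contact is therefore enough to detect a later change in Bob's terms without trusting Bob to announce it.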
ANCR is having an off-cycle meeting at 11:30(?) Monday. They usually meet
Wednesday at 10:30 ET.
Advanced Notice and Consent Receipt: Advanced Notice & Consent Receipt -
ANCR-WG
<https://kantarainitiative.org/confluence/pages/viewpage.action?pageId=14080…>
Anyone attending HIMSS?
IDENTOS will have some representation there (not Alec), presenting their
TrustSphere project in BC
Has Kantara ever provided funding support to attend/present posters/papers?
Kantara is open for funding requests; if interested, please reach out to
Alec (or any WG chair) and they'll help with the request to the Leadership
Council. Largely, attendance has been self-funded.
Relationship Manager - user stories
Review the Diagram:
https://groups.google.com/g/kantara-initiative-uma-wg/c/WAnizgl08Fg/m/YjflL…
Last week we got into the details and questions around discovery. It may
not need to be part of the core UMA AS function, and could be a 3rd service
specification (with some intersection with the ANCR registry concepts).
Implementing the UMA spec is not enough; use-cases are needed to fill the
gaps and details (and to 'get creative'). This has made interop challenging
between implementations. There's a bunch of work around UMA that is
required to show an implementation. Maybe a simple interop profile around a
use-case would allow us to show us working together. One example: who owns
and stores the PAT, and communicating the handle (URI) from RO to RqP.
AOB
Please welcome Kay Chopard as the new Kantara Executive Director!
Attendees
As of October 26, 2020, quorum
<http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is
5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
Voting:
1. Steve
2. Alec
3. Sal
Non-voting participants:
1. Zhen
2. Scott
Regrets:
https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-07-08
Minutes
Roll call
Quorum was NOT reached.
Approve minutes
- Approve minutes of UMA telecon 2021-06-10
<https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-06-10>
, UMA telecon 2021-06-17
<https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-06-17>
, UMA telecon 2021-06-24
<https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-06-24>
, UMA telecon 2021-07-01
<https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-07-01>
Deferred
Relationship Manager - user stories
Review the Diagram:
https://groups.google.com/g/kantara-initiative-uma-wg/c/WAnizgl08Fg/m/YjflL…
Discussion Recording (split into 4 parts)
2021-05-20 13.24 UMA Working Group Part 1.mp4
<https://kantarainitiative.org/confluence/download/attachments/147488962/202…>
2021-05-20 13.24 UMA Working Group Part 2.mp4
<https://kantarainitiative.org/confluence/download/attachments/147488962/202…>
2021-05-20 13.24 UMA Working Group Part 3.mp4
<https://kantarainitiative.org/confluence/download/attachments/147488962/202…>
2021-05-20 13.24 UMA Working Group Part 4.mp4
<https://kantarainitiative.org/confluence/download/attachments/147488962/202…>
Here's a token and here's where to go: OIDC distributed claims. Existing
mechanism to pair an endpoint with a token.
We want to be able to still share a URL and have the flow work. This is a
discovery mechanism, and has many privacy implications, e.g. the user understanding
what the policy means. How does the user really know what will happen? Do
we need a notification mechanism to allow review ahead of the disclosure? We
don't necessarily want it to be a revocation after the data is shared. In
this case the consent needs to be just in time, e.g. Alice is notified about
the specific request based on the more general policy. This is back to the
CIBA/Liberty Alliance interaction service, where the AS can reach out
to the RO. On the client side this is handled by the request_submitted
token response.
How would discovery be layered on top of the existing protocol (vs overload)?
Discovery creates AS-first (or discovery server-first) flows
- exposing the UMA Fedz resource API to the client
- two step process, the client/RqP are first identified to the AS, to
get access to an AS hosted resource API
- A discovery endpoint, the client goes there first and then gets a
ticket to use with a token endpoint
- who hosts the discovery endpoint? Can it be cross-AS? It is discovery
only for the UMA protected URL, where each URL can be independently
protected.
- pass in the resource id (eg resource indicators) to the token
endpoint with a PCT
We are separating discovery from the existing UMA flow/roles; it can be
co-located with an AS or an entirely separate service, and in future could be
co-located with the RM (Alice shares her RM URL instead of specific URLs).
In UMA, I pick an AS, and all of my/Bob's services go through my AS to get
authZ to my resources. Reality has shown there are likely 3/4 different
ASs → this is one purpose of the RM, to be a layer that serves Alice
directly. It comes down to where aggregation happens, who knows about it,
and how this makes Alice's life easier to manage her distributed information.
We are separating the policy of discoverability from the authorization to
access; they have different policy needs. If these are different, why allow
discovery? Because Alice wants transparency and wants to understand the
different risks. Knowing that Alice takes landscape photos may be
discoverable, while access to specific photos may need to be controlled. This
goes back to a general policy around discovery (all photographers can
discover) vs the specific RqP (only selected photographers can access
specific photos, tiered access).
Discoverability works well where there is a small number of URLs; however
in complicated APIs there could be 100+. There can be expansion to
'wildcard' URLs or types of resources vs the specific URI.
RS-first access lacks mechanisms for intent. The RS must extrapolate from a
single request the scope of resources to include in the permission ticket.
Discovery allows the client/RqP to speak to their intent, e.g. as a client I can
understand only specific resource types; however the RS can't know this
ahead of time. We want to match the granted resources to the
intent/capability of the client. Bob can show up and declare what privacy
obligations he'll uphold, and leave the notarized receipt with the AS for
Alice to follow up with, e.g. Data Controller information. Rather than an audit
trail, the receipt is meant to be a one-time signal that can be compared over
time and allows the identification of policy change. On all resource
accesses the AS receives a new and comparable-to-previous receipt.
If I'm a health care system or a photo sharing system, the site needs to
stand alone. There could be cases where an RS is trying to add authz
capabilities; this can be delegated to the UMA environment without major
changes to the core RS. UMA needs to work for both scenarios.
*The interesting question always comes back to liability: if the AS is the
authority and the RS releases the wrong data, the AS still needs to take
the liability.* The RS is the data custodian, and they always have
liability/responsibility to the RO. If company A uses UMA as technology for
RS/AS/RM/Discovery, then there is little liability question; it's all in
the same place. Once the ecosystem is wider, where company A holds the
data and delegates authZ to an AS of company B, the liability split is
less clear.
When PDP did the dashboard, there was an idea of consent boundaries.
Anything happening at the RP on behalf of the RO has a separate consent
boundary, between the client software and the RqP.
The ANCR would allow Bob/the client to create the notice receipt to the
discovery mechanism so that Alice is able to see what terms were accepted.
From the RqP perspective, access is based on presented claims, to meet Alice's
policy. Bob wants to set his terms for sharing those claims with an AS(?)
The policy within the AS is not specified; the ANCR could be a profiled
claim type for Alice/Bob to both understand the legal
requirements/expectations for the claim handling. The purpose is to reduce the
cognitive load on Alice/Bob to understand the terms, having a common
vocabulary vs ad-hoc TOSs.
As an RqP, I can define an ANCR receipt, in order to specify my
requirements for claims handling. This could be a claims presentation to
the AS. There are two privacy rights that need to be balanced:
Alice→arbitrary client vs Bob→arbitrary AS. In ANCR, there is a cyber
rights notary; when Bob wants access he sees Alice's pre-established
policy.
AOB
Attendees
As of October 26, 2020, quorum
<http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is
5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
Voting:
1. Thomas
2. Alec
3. Domenico
4. Sal
Non-voting participants:
1. George
2. Ian
Regrets:
1. Eve
2. Nancy
https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-07-01
Minutes
Roll call
Quorum was NOT reached.
Approve minutes
- Approve minutes of UMA telecon 2021-06-10
<https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-06-10>
, UMA telecon 2021-06-17
<https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-06-17>
, UMA telecon 2021-06-24
<https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-06-24>
Deferred
Relationship Manager - user stories
As RqP Bob (research), I want to be able to request access to a set of
Alice's resources (health information) directly from Alice's AS without
knowledge of their location (health record repositories), because I don't
have to bother getting or caring about all the locations from Alice first
(since there is no direct relationship between Alice and the researcher).
A researcher may discover health records that have been authorized for them
to access, without needing a direct relationship with the RO. In this case,
Alice can mark her resources at the AS as being approved for someone with a
specific claim. This isn't a specific consent, i.e. to a specific RqP;
instead she's specifying the claims that the RqP must present (such as a
particular study, or researchers from specific IdPs). How she knows which
studies/research institutes are available would have to be part of the trust
ecosystem known to the AS. The AS can define the size of this ecosystem.
The rule at the AS: *"I Alice allow people with claim=researcher from
idp=[baylor, acme] to access these specific health resources=[A@RS1, B@RS2,
Immz@RS2]"*. The next component of this is how that client/RqP can
understand the schema/type of the resource being accessed. The client
should be requesting and receiving resources that are useful to it and not
other ones (data minimization).
This reflects the "three layers of interop": ecosystem, protocol, schema.
If all 3 aren't there, things don't work...
How granular can these rules be (resource type, specific resource, resource
+ scopes)? "my health record = patient/*.*", "read my health record =
*.read". FHIR has some ability to be queried in graph-y ways; however
usually it's very scope based. In SMART on FHIR, the whole RS is the resource
and you specify scopes for specific things ("patient.read observation.read ...");
then you can further apply confidentiality (conf/*) or sensitivity scopes
(sens/*), however those apply to the entire set of scopes.
In genetic disease, the gene has a list of many mutations that could be
queried, relevant to specific conditions. Or the entire gene, or types of
how that gene is captured (microarray, single cell experiment). Another
example where the client/RqP's ability to understand and use the data should
be assessed before giving access to the data: they might only need to know
if there is a specific mutation, not the whole sequence. Or a set of genes
relevant to breast cancer. There is a need to understand the purpose before
giving more holistic information; it depends on the person who is
investigating.
Is the gene the resource? Resource=(gene), scopes=(diseaseA, diseaseB,
phenotypeD, specific-featureC, single-cell-experiment). The client/RqP can
be filtered against the available gene resources based on those scopes.
There are vocabularies that are standardized through industry that would
help create this language to drive interoperability (the schema level
interop).
What audit capabilities would Alice have to see who/what institutes
actually access her information? The AS should be able to provide this, and
the RS would be able to provide even more specificity. Alice must be able
to understand up front what level of audit she will receive. There is a
dichotomy of behaviour: a) people who won't check and b) people who will and
take action on this information. *ANCR intersection:* when the client is
granted access, lodge a consent receipt for Alice's records? This CR can be
pushed as a claim (JSON) for Alice to understand how the client will treat
her data, who to contact, etc.
Alice is delegating some interrogation of clients to the AS; the blanket
consent statement can't consider all client terms (since Alice isn't
present at that time).
There is a need for Bob to know the AS from which to request access.
As RqP Bob (financial advisor), I want to be able to request access to a set
of Alice's resources (pension information) directly from Alice's AS without
knowledge of their location (specific pension providers), because I don't
have to bother getting or caring about all the locations from Alice first
(since this is cumbersome to Alice and the advisor).
The rule at the AS: *"I Alice allow people with claim=advisor,
myadvisor(a)advisingcompany.com from
idp=[advisor idp] to access these specific pension resources=[A@PP1,
B@PP2]"*. The resources available in this rule are the registered resources
from an earlier discovery/registration step (both cases). This also allows
the RS to not guess what resources and scopes the client needs based on the
initial request with the URL (RPT-less request); the AS has a much
clearer idea about the client's capability and what specifically has been
granted after claims gathering has occurred.
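The two AS rules quoted in these minutes (the researcher rule and the advisor rule), evaluated against presented claims as an added example; this is not UMA-WG code and UMA does not specify the policy language at the AS. Resource identifiers follow the "<id>@<RS>" shorthand used above; the resource locations, types, scopes, issuer names and the shape of the claims are constructed. The example goes one step beyond the text by also applying the data-minimization point: a resource is only granted if the client has declared it understands that resource type, and scopes are narrowed to those both granted and requested. It assumes the claims have already been verified (signature, issuer) before evaluation.

```python
# Added example (not UMA-WG code): evaluating Alice's AS rules against presented
# claims plus the client's declared capability. All identifiers are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Resource:
    rid: str              # "<id>@<RS>" as written in the minutes
    location: str         # resource_location registered at the AS
    rtype: str            # schema-level type the client must understand
    scopes: frozenset     # scopes registered for this resource


@dataclass(frozen=True)
class Rule:
    role: str                      # required value of the presented "role" claim
    idps: frozenset                # issuers Alice trusts for that claim
    resources: frozenset           # resource ids the rule grants
    subject: Optional[str] = None  # optional: pin the rule to one named RqP


# Registered resources (from the earlier discovery/registration step); constructed.
REGISTERED = {r.rid: r for r in [
    Resource("A@RS1", "https://rs1.example/alice/patient", "fhir/Patient", frozenset({"read"})),
    Resource("B@RS2", "https://rs2.example/alice/observations", "fhir/Observation",
             frozenset({"read", "search"})),
    Resource("Immz@RS2", "https://rs2.example/alice/immunizations", "fhir/Immunization",
             frozenset({"read"})),
    Resource("A@PP1", "https://pp1.example/alice/pension", "pension/Statement", frozenset({"read"})),
    Resource("B@PP2", "https://pp2.example/alice/pension", "pension/Statement",
             frozenset({"read", "project"})),
]}

# Alice's rules at the AS, as quoted in the minutes.
RULES = [
    Rule("researcher", frozenset({"baylor", "acme"}), frozenset({"A@RS1", "B@RS2", "Immz@RS2"})),
    Rule("advisor", frozenset({"advisor-idp"}), frozenset({"A@PP1", "B@PP2"}),
         subject="myadvisor(a)advisingcompany.com"),
]


def rule_matches(rule: Rule, claims: dict) -> bool:
    """Claims are assumed already verified (signature, issuer) before evaluation."""
    if claims.get("role") != rule.role or claims.get("iss") not in rule.idps:
        return False
    return rule.subject is None or claims.get("sub") == rule.subject


def evaluate(claims: dict, client_types: set, requested_scopes: set) -> dict:
    """Returns {resource_id: {"location", "type", "scopes"}} for resources granted
    by a matching rule AND of a type the client declares it can use, with scopes
    narrowed to those both registered and requested (data minimization)."""
    granted = {}
    for rule in RULES:
        if not rule_matches(rule, claims):
            continue
        for rid in rule.resources:
            res = REGISTERED[rid]
            scopes = res.scopes & requested_scopes
            if res.rtype in client_types and scopes:
                granted[rid] = {"location": res.location, "type": res.rtype, "scopes": scopes}
    return granted


if __name__ == "__main__":
    researcher = {"iss": "baylor", "sub": "bob@baylor.example", "role": "researcher"}
    # A client that only understands immunization records gets only Immz@RS2.
    print(evaluate(researcher, {"fhir/Immunization"}, {"read"}))
```

A researcher from an issuer outside [baylor, acme] matches nothing, and an advisor from the right IdP but with a different subject is refused by the pinned rule. Because the grant is keyed by resource id, the output already carries each resource's location and type, which is exactly what the later token-response discussion needs.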
Reviewing the Diagram:
https://groups.google.com/g/kantara-initiative-uma-wg/c/WAnizgl08Fg/m/YjflL…
Is there an alternative where Alice tells the AS, my resources are here
(RS)? This could be the AS as Relationship Manager, where the RM reaches
out to the RS to read the available resources. The challenge is still in
PAT establishment.
Could Alice create policy before resources are registered? This is getting
closer to delegation/consent vs protocol level.
UMA Interop Testing
Deferred
AOB
Attendees
As of October 26, 2020, quorum
<http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is
5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
Voting:
1. Peter
2. Alec
3. Domenico
Non-voting participants:
1. Zhen
2. Ian
3. Scott
Regrets:
1. Steve
Hi, as requested I have collected the user stories we've looked at around the
Wallet/Relationship Manager drafts for discussion tomorrow
From:
https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-11-19
As RqP Bob, I want to be able to request access to a set of Alice's
resources directly from Alice's AS without knowledge of their location,
because I don't have to bother getting or caring about all the locations
from Alice first.
As client C used by RqP Bob, I want to be able to request access to a set of
Alice's resources directly from Alice's AS on Bob's behalf without
knowledge of their location, because I don't have to retrieve the locations
first.
—
From:
https://groups.google.com/g/kantara-initiative-uma-wg/c/f0g98sr22Rw/m/M5jK9…
As a RO, I want to manage my resources independently of each individual RS
(UMA core prop)
As an AS, I want to decouple the consent management UX from the
authorization services,
As a RO, I need a personally controlled user-agent (UMA Wallet) to manage
my key material, in order to maintain personal-agency in ecosystems
As a RO, I want to authorize a "UMA Wallet" to manage RS resources, so that
I have a single view into my available RS's and Resources
As a RS, I need Alice to authenticate in order to determine which resources
she can manage, in order to ensure appropriate management access
As a RS, I need Alice to establish credentials (pub key), so that I can
trust externally asserted policy was issued with Alice
AS a RS, I need to trust delegations signed by Alice's key, so that Alice
can allow Bob (other keys...) or <<claims gathering condition>> to access
her resources
As a RS, I may delegate resource management user experience, so that I can
focus on my core service to the RO
As an RS, I need to know which AS(s) Alice wants to use, in order to
delegate access control (uma core)
As an AS, I want to delegate RqP identification to a UMA Wallet, so that
- a RqP can choose their private key and consent management provider
- I can avoid directly holding or seeing a users personal details
Best,
- Alec
https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-06-24
Minutes
Roll call
Quorum was NOT reached.
Approve minutes
- Approve minutes of UMA telecon 2021-06-10
<https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-06-10>
, UMA telecon 2021-06-17
<https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-06-17>
Deferred
Relationship Manager - user stories
From:
https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-11-19
As RqP Bob, I want to be able to request access to a set of Alice's
resources directly from Alice's AS without knowledge of their location,
because I don't have to bother getting or caring about all the locations
from Alice first.
- this one was more related to resource definitions - not resource
manager
- Alice can give a discovery handle (URI to resource), or since Alice's
stuff may be in many places, Bob can discover all of the locations by
Alice only sharing the AS (as the discovery function)
- SAML 1.0 only had IdP-initiated SSO, then expanded to other use-cases
eg SP-initiated SSO. UMA so far has deferred discovery, however this brings
it back into scope
- it's not hard to be told which RS, eg registered the resource_location
with the resource
- there are potential security/privacy concerns with this approach
- Is the client request bound to a specific RO from the outset?
- Client says to AS, "I'm looking for these types of resources
(types/definitions/indicators) with these scopes", ie by using a UMA Fedz
Permission endpoint exposed to the Client
- AS returns a UMA ticket and can continue through the UMA grant
(pushed/interactive claims)
- What granularity is the Client/RqP making this initial request for
resources at? Over resource descriptions: resource type + scopes
- *There are major implications for the token response to the Client:
token_type, multiple access tokens, including the resource_location + type*
- Previously only one Resource Server is ever granted (maybe over
many specific resources), however this requires only 1 token
- want to maintain the resource server constrained access tokens
- another option is that the token response is maintained, and the client
makes multiple token requests (eg with the PCT) and the specific resource
type/indicator
- PCT fits within the current UMA model since the PCT allows the
client to get new access tokens for other RSs without having
to go through
claims gathering again
- This may also enable the RS to register as a resource type
provider; is there a way that no specific resources need to be registered
at the AS, and that Alice's "ID" is what's conveyed back to the RS
- fits when paths/uris at the RS are not specific (eg /me/profile vs
/alice/profile)
- gets back into the relationship manager profile, where Alice pushes
the RS-known sub to the AS which can be returned to the RS through
introspection (or the RPT)
{
  "access_token": "sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv",
  "token_type": "Bearer",
  "resource_type": "http://resourcetyperegistry.com/a/resource/type",
  "resource_location": "http://thisspecificrs.com/path/to/resource"
}
// resource_type is the contract with the client over what the response from the RS will be

// this is non-conforming to OAuth 2 as access_token isn't a string
{
  "access_tokens": [
    {bearer access token with resource location}
  ],
  "token_type": "Multi"
}
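The second option from the list above (keep the OAuth 2.0 token response as-is, and have the client make one token request per resource with the PCT and a resource indicator), written out as an added example; this is not UMA-WG code and the UMA grant does not define this exchange. The token format (base64url JSON plus an HMAC tag), the AS key, the in-memory PCT store and all URLs are constructed. It also goes beyond the text by adding the RS-side introspection check that makes the tokens genuinely resource-server-constrained: a token minted for RS1 is reported inactive at RS2. The non-conforming multi-token shape is included for contrast.

```python
# Added example (not UMA-WG code): per-RS constrained RPTs obtained one token
# request at a time with a PCT and a resource indicator. Everything is constructed.
import base64
import hashlib
import hmac
import json
import secrets

AS_KEY = b"constructed-as-signing-key"   # stand-in for the AS token-signing key
PCT_STORE: dict = {}                      # pct -> grant state kept after claims gathering


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_pct(subject: str, permissions: dict) -> str:
    """After claims gathering the AS records what was granted, keyed by a PCT.
    permissions: {resource_id: {"location", "type", "scopes"}}."""
    pct = secrets.token_urlsafe(16)
    PCT_STORE[pct] = {"sub": subject, "permissions": permissions}
    return pct


def _sign(payload: dict) -> str:
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(AS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def token_endpoint(pct: str, resource_indicator: str) -> dict:
    """One RPT per resource. The token's aud is that resource's RS location, so it
    cannot be replayed at another RS. Error codes follow RFC 6749 / RFC 8707."""
    grant = PCT_STORE.get(pct)
    if grant is None:
        return {"error": "invalid_grant"}
    perm = grant["permissions"].get(resource_indicator)
    if perm is None:
        return {"error": "invalid_target"}
    rpt = _sign({"sub": grant["sub"], "aud": perm["location"],
                 "resource_type": perm["type"], "scopes": sorted(perm["scopes"])})
    return {"access_token": rpt, "token_type": "Bearer", "pct": pct,
            "resource_type": perm["type"], "resource_location": perm["location"]}


def introspect(rpt: str, rs_location: str) -> dict:
    """RS-side check: signature first, then audience. A token minted for another
    RS is reported inactive rather than partially honoured."""
    try:
        body, tag = rpt.split(".")
    except ValueError:
        return {"active": False}
    expected = hmac.new(AS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return {"active": False}
    payload = json.loads(_unb64(body))
    if payload["aud"] != rs_location:
        return {"active": False}
    return {"active": True, **payload}


def multi_token_response(pct: str) -> dict:
    """The other option from the minutes, for contrast: every granted resource in one
    response. access_token is no longer a string, so this is not an OAuth 2.0
    token response."""
    grant = PCT_STORE[pct]
    return {"token_type": "Multi",
            "access_tokens": [token_endpoint(pct, rid) for rid in grant["permissions"]]}


if __name__ == "__main__":
    pct = issue_pct("bob@baylor.example", {
        "A@RS1": {"location": "https://rs1.example/alice/patient",
                  "type": "fhir/Patient", "scopes": {"read"}},
    })
    resp = token_endpoint(pct, "A@RS1")
    print(introspect(resp["access_token"], "https://rs1.example/alice/patient"))
    print(introspect(resp["access_token"], "https://rs2.example/alice/observations"))
```

Because the PCT is what carries the claims-gathering result, the client can come back for a second RS's token without re-doing claims gathering, which is the property the minutes rely on; the per-token aud is what keeps the "one token per resource server" constraint intact when the grant spans several RSs.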
As client C used by RqP Bob, I want to be able to request access to a set of
Alice's resources directly from Alice's AS on Bob's behalf without
knowledge of their location, because I (client) don't have to retrieve the
locations first.
- the client doesn't have to collect a resource location from Bob before
starting the flow, can have a direct relationship with the AS
—
From:
https://groups.google.com/g/kantara-initiative-uma-wg/c/f0g98sr22Rw/m/M5jK9…
As a RO, I want to manage my resources independently of each individual RS
(UMA core prop)
- Alice has resources at many resource servers
- In an ideal UMA world, Alice is able to choose her authorization
server, and all clients are able to dynamically interact with it. Another
case is that the Authorization Server is run for Alice and registers a
specific set of clients. Therefore, Alice/Bob may need to interact with
multiple authorization servers in order to use the clients they want to.
- could we look at the business personas vs user personas
- eg the RS operator doesn't trust certain
- in the bowtie, the RS has 'no-trust' with the client, however this
means it needs trust in some TTP
- this is still an excellent goal, however it requires the RS to
have direct vetting/relationships with all clients. The RS may have
accumulated the resources during some other business purpose and never
intended to become an Authorization Server also.
- As the custodian, the RS has the most liability in disclosing the
resource
As an AS(RS) operator, I need statically registered clients (clients +
RSs), in order to meet my federation assurance requirements
As an RS operator, I don't want to trust any RO chosen AS, because I need
strong federation assurance (I can't trust a individual person)
As an RS operator, I want to register resources with specific trusted AS,
in order to meet my federation assurance
As an RS operator, I want to delegate RP registration and authorization, as
I never intended to take on this responsibility/cost
federation assurance is short-hand for trust framework,
legal/regulatory/compliance requirements (I can't trust anyone)
These necessarily narrow the ecosystem; UMA + these drafts aim to widen the
ecosystem again and remove the need for 1-1 agreements between all parties.
- AS holds the agreements with the Client and RS, no Client<>RS
agreement is required ('no-trust')
- Where does the RO fit into this agreement system? We want to allow the
RO to experience agency as they participate in this ecosystem
- Can we describe the resulting trust model in GDPR terms?
- How does this fit the ANCR receipt? Consent token/grant type seems
forced?
- Is a consent receipt from the client a required claim for
presentation?
- The client is the one that Alice's information is disclosed to;
it seems like it (the client) needs to be the one providing Alice a
receipt of
this (with the contact information etc)
Alec will attempt to organize these use cases into a document for
solicitation. We need to get less technical and more business/legal
feedback on these goals
As an AS, I want to decouple the consent management UX from the
authorization services,
- less required, but motivates the relationship manager client
As a RO, I need a personally controlled user-agent (UMA Wallet) to manage
my key material, in order to maintain personal-agency in ecosystems
As a RO, I want to authorize a "UMA Wallet" to manage RS resources, so that
I have a single view into my available RS's and Resources
As a RS, I need Alice to authenticate in order to determine which resources
she can manage, in order to ensure appropriate management access
As a RS, I need Alice to establish credentials (pub key), so that I can
trust externally asserted policy was issued with Alice
AS a RS, I need to trust delegations signed by Alice's key, so that Alice
can allow Bob (other keys...) or <<claims gathering condition>> to access
her resources
As a RS, I may delegate resource management user experience, so that I can
focus on my core service to the RO
As an RS, I need to know which AS(s) Alice wants to use, in order to
delegate access control (uma core)
As an AS, I want to delegate RqP identification to a UMA Wallet, so that
- a RqP can choose their private key and consent management provider
- I can avoid directly holding or seeing a users personal details
New term "*BOLTS*"
- Business
- operational
- legal
- technical
- social
UMA Interop Testing
AOB
Attendees
As of October 26, 2020, quorum
<http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is
5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
Voting:
1. Eve
2. Steve
3. Alec
Non-voting participants:
1. Nancy
2. Tim
Regrets:
1. Domenico